Brute Forcing Passwords with THC-Hydra

What is THC-Hydra?

Hydra is a very fast online password cracking tool that can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hacker's Choice) created Hydra for researchers and security consultants to show how easy it can be to gain unauthorized access to a system remotely.

Installing THC-Hydra

If you are running Kali Linux you will already have a version of Hydra installed; on all other Debian-based Linux distributions, install it from the repository with the package manager.

Hydra-GTK

Hydra-GTK is a GUI front end for Hydra; because it is only a front end, you must have THC-Hydra itself installed first. If you are running Kali Linux it is already pre-installed; everyone else can install it by typing:

sudo apt-get install hydra-gtk

Once installed you will have a new application called xHydra, open this up and you should see a window that looks like this.

Brute Force / Dictionary Attack

Hydra can run either a dictionary attack, where you give it an explicit list of words to try, or a brute force attack, which tries every possible combination of characters. Each has its benefits and drawbacks.

A dictionary attack uses a precompiled list of words (a word list). This is faster than brute force because the program only runs through the words in the list, but if the password is not in that list the attack will fail.

If you are running Kali you will already have a whole bunch of word lists for you to use, just type locate wordlist in a terminal to find their location.

For everyone not running Kali, you can download some good word lists from the SkullSecurity.org password wiki; look for rockyou.txt, as this is what I will be using in my examples below.

If this were a targeted attack against a specific person, you could use something like CUPP (Common User Passwords Profiler) to create a word list more specific to the target. It takes a birthday, nickname, address, the name of a pet, etc. Enter the details you know or can find out via social media and it will create a word list based on your inputs.

Brute force cracks a password by trying every possible combination: for example, it will try aaaa, then aaab, aaac and so on. This considerably increases the time the attack takes, but reduces the likelihood that the attack fails.

In Hydra, the -x option enables brute force mode. The brute force options have their own help text, which you can see by typing hydra -x -h.

hydra -x -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra bruteforce password generation option usage:
-x MIN:MAX:CHARSET
MIN is the minimum number of characters in the password
MAX is the maximum number of characters in the password
CHARSET is a specification of the characters to use in the generation
valid CHARSET values are: 'a' for lowercase letters,
'A' for uppercase letters, '1' for numbers, and for all others,
just add their real representation.
-y disable the use if the above letters as placeholders
Examples:
-x 3:5:a generate passwords from length 3 to 5 with all lowercase letters
-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
-x 1:3:/ generate passwords from length 1 to 3 containing only slashes
-x 5:5:/%,.- generate passwords with length 5 which consists only of /%,.-
-x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and 1 only
The bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/

RDP

To set the scene I have a Windows 2012 server with Remote Desktop setup, running in my virtual lab. The virtual machine has an IP of 192.168.34.16 and one user called administrator.

So let's fire up Hydra with our rockyou word list and run this command:

hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://192.168.34.16

-t 4 Sets the number of tasks that run in parallel. In this example I have used 4, which sends 4 logins at a time. RDP does not like too many connections at the same time, so try to keep it at a maximum of 4. It is sometimes worth adding -w to your command to add a wait between attempts.
-V Verbose: shows each username and password on screen as Hydra works.
-f Quits once a valid username and password match has been found.
-l administrator Uses the username administrator to attempt to log in.
-P rockyou.txt The word list we will be pulling passwords from.
rdp://192.168.34.16 The service we want to attack and the IP address.

You should see each attempt as it tries to connect to RDP, like pictured below; as we have used the -f option, Hydra will stop once it has found a positive match.

In Event Viewer on the Windows 2012 server with RDP enabled you will see lots of Event ID 4625 entries in the Security log. As you can see below, these give the system admin a lot of information about where the brute force attempts have come from.

If you are the admin of a server whose RDP is being brute forced, you can mitigate this by changing the default port RDP listens on, or, if you have a router that allows you to remap ports, that is probably the better option.

If you’re interested in changing the port RDP listens on in a Windows PC start by opening the registry editor (Regedit).

Once the computer restarts you will be able to connect to it using Remote Desktop Connection as normal but you now need to add a colon (:) then the new port at the end of the address like pictured below.

Another option is to restrict RDP access by telling the Windows firewall which IPs are allowed to connect to the RDP port and which are not. I have already done a tutorial on this; check that out here.

FTP

Using the same Windows 2012 server I used for the RDP brute force above I installed the latest version of FileZilla Server, which can be downloaded from their website https://filezilla-project.org/

I’m not going to go into the ins and outs of setting up FileZilla Server; there are plenty of guides for that, just google it. Just know that I set up this FTP server with one user called admin and a password of [email protected]

Then I run this Hydra command in the terminal. Notice that I have used a capital -L in this command: it specifies a word list containing usernames. Use a lowercase -l if you want to specify a single username.

hydra -t 5 -V -f -L userlist -P passwordlist ftp://192.168.34.16

-t 5 Sets the number of tasks, or logins, it will try simultaneously. I have gone for 5 here, but remember not to go too high as it may give you false results.
-V Verbose: displays the login and password tried in the terminal for each attempt.
-f Quits once Hydra has found a valid username and password match.
-L userlist The capital -L means I’m using a word list of usernames called userlist; a lowercase -l would specify a single username to try.
-P passwordlist The capital -P means I’m using a word list called passwordlist; a lowercase -p would specify a single password to try.
ftp://192.168.34.16 The service we want to attack and the IP address of the FTP server.

You will see each attempt as it tries all the specified username and password combinations until it either finds a match or runs out of combinations.

As you can see below, every attempt is logged in the FileZilla console; you can also see all 5 login tasks running simultaneously at the bottom.


Within FileZilla, you can enable auto ban to stop an attacker brute forcing the FTP username and password. When enabled, this blocks the IP address the attacker is logging in from after a specified number of failed logins; the default is 10.

Interestingly, Hydra just continued to try passwords even though my IP was banned. It went through the whole username and password list and reported that nothing in the list matched, even though I know the username and password were on that list.
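The behaviour described above is exactly what a lockout policy is meant to produce: once the source address is banned, every later attempt is refused without the password even being checked, so the correct guess sails past unnoticed. The following added example (not FileZilla's, Hydra's or the author's code) models a ban-after-N-failures policy with an assumed failure window and ban duration, then feeds a constructed word list through it to show that the right password is rejected once the ban is in place and that the legitimate user can log in again once the ban expires. FileZilla's default threshold of 10 is the one number taken from the page; the window and ban length are assumptions.

```python
"""Failed-login lockout (auto-ban) policy, as an added illustration.

Models the behaviour described for FileZilla Server's auto ban (and VNC's
blacklist): after max_failures failed logins from one source address inside
a time window, that address is refused outright for ban_seconds, whether or
not later attempts carry the right password. Constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 10        # FileZilla's default auto-ban threshold (from the page)
    window_seconds: float = 600   # failures older than this are forgotten (assumed value)
    ban_seconds: float = 3600     # how long a banned address stays banned (assumed value)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _banned_until: dict = field(default_factory=dict)

    def is_banned(self, ip: str, now: float) -> bool:
        """True while a ban is active; clears expired bans as a side effect."""
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; return 'banned', 'accepted' or 'rejected'."""
        if self.is_banned(ip, now):
            return "banned"          # refused before the password is even looked at
        if password_ok:
            self._failures.pop(ip, None)
            return "accepted"
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()              # drop failures outside the sliding window
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            q.clear()
            return "banned"
        return "rejected"


def run_wordlist(policy, ip, wordlist, correct, start=0.0, interval=0.2):
    """Feed a word list through the policy at a fixed rate; return per-attempt outcomes."""
    outcomes = []
    for i, word in enumerate(wordlist):
        outcomes.append(policy.attempt(ip, word == correct, start + i * interval))
    return outcomes


if __name__ == "__main__":
    # Constructed word list: 15 guesses, the right one in position 13.
    words = [f"guess{i}" for i in range(15)]
    words[12] = "S3cret!"
    policy = LockoutPolicy()
    result = run_wordlist(policy, "203.0.113.7", words, "S3cret!")
    for word, outcome in zip(words, result):
        print(f"{word:10} -> {outcome}")
    # The correct password was in the list but never 'accepted': the ban
    # kicked in at the tenth failure and swallowed everything after it.
```

Running the block prints nine rejected guesses, a ban on the tenth, and `banned` for every remaining word including the correct one, which is why a word list can "contain the password" and still come back with no hits.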

VNC

I have installed a VNC server on the Linux Mint box at 192.168.100.155 running in my virtual lab and set a VNC password of [email protected]. I have a quick rundown on how to set this up in Mint below.

In the past, VNC has been a very insecure program: there is no login name, any password can be set, and it does not have to meet any complexity requirements. That said, newer versions have added a blacklist feature that blocks you after 5 failed login attempts.

So for our brute force to work, I have had to switch off the blacklisting feature by running this command on the Linux Mint box.

This stops me from blacklisting myself in my test lab. On a live engagement I would suggest increasing the wait time per try in Hydra (-W) to anything over 60, and if you are attacking an older version of VNC this blacklisting feature is not enabled by default.

As a little side note, don’t use more than 4 tasks (-t 4) in your command, as you may find it gives you some false negatives. Also remember that there is no username on VNC connections, so we won’t need -l in our command.

After you have turned off the blacklisting feature run this command in hydra.

hydra -P passwordlist -t 1 -w 5 -f -s 5901 192.168.100.155 vnc -v

-P passwordlist The capital -P means I’m using a word list called passwordlist; a lowercase -p would specify a single password to try.
-t 1 Sets the number of tasks, or logins, it will try simultaneously. I have gone for 1 here, but remember not to go higher than 4 when brute forcing VNC.
-w 5 Sets the wait time between tries. I have gone for 5 here, but remember to go a lot higher if the blacklisting feature is still enabled.
-f Quits once Hydra has found a valid password match.
-s 5901 Changes the port Hydra connects to on the VNC server from the default 5900 to 5901, which is what my VNC server defaulted to.
192.168.100.155 vnc The IP address of the VNC server and the service we want to attack.
-v Verbose: displays the password tried in the terminal for each attempt.

Once the command is run you should see an output like this.

As I said above, VNC passwords are notably weak, and you should never expose a VNC server directly to the internet. The blacklist time-out feature prevents some brute forcing of the password, but if you hit the server slowly enough not to get blacklisted it can still be brute forced.

Instead, you should run VNC server on 127.0.0.1 by adding -localhost to the command line:

vncserver -localhost

Then use SSH tunnelling to link a port on your machine to the port on the server.

Then while that SSH connection is alive, you can connect your VNC client to the port 5901 on your machine.

If you want more information about SSH tunnelling check out my tutorial all about SSH here

Just before I finish up with brute forcing VNC: you can find the VNC logs in a hidden folder called .vnc in your home folder. The contents of this log will look something like the text below. At points 1 and 2 you can see Hydra trying the wrong password, and point 3 is where the password was correct. Interestingly, it does not seem to record the IP address of the PC I am using to brute force it.

SSH

To set the scene here, I have Linux Mint running in my virtual lab on 192.168.100.155 with SSH installed. On the Linux Mint box, I created a user called admin with a password of [email protected]

I have already done a tutorial on setting up Linux Mint in Virtual Box here

I also have a guide on installing SSH in Linux; check out this tutorial here.

Ok, so now we have our virtual machine with SSH running on it. We can use this command in Hydra to start brute forcing the SSH login.

hydra -l admin -P passwordlist ssh://192.168.100.155 -V

-l admin The lowercase -l states that I am going to specify a single username; use a capital -L if you are going to specify a user list.
-P passwordlist The capital -P says I’m going to specify a list of passwords in a file called passwordlist.
ssh://192.168.100.155 The service we want to attack and the IP address of the SSH server.
-V Verbose: displays the login and password tried in the terminal for each attempt.

Once you run this command you should see all the attempts in the terminal, like pictured below. Notice that where I have not added -t to the command, the number of simultaneous logins is 16, which is the default.

If you are interested, SSH logs access attempts in /var/log/auth.log.

To make this log a bit easier on the eyes you can use the Linux tail command to display the last x number of lines of your auth.log.

Use the following command to view the last 100 lines of your SSH log.

tail -100 /var/log/auth.log | grep 'sshd'
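Eyeballing tail output works for a lab, but the signal a defender actually wants from auth.log is "many failed passwords from one source in a short window, possibly followed by a success from that same source". The following added example (not the author's or Hydra's code) parses sshd lines of the kind shown in auth.log, keeps a sliding window of failures per source IP, and reports both the burst and any login accepted right after it. The log lines are constructed for the example and use documentation-range addresses; the 5-failures-per-60-seconds threshold is an assumed tuning value. The same aggregation applies to the Windows 4625 events mentioned in the RDP section, only the parsing differs.

```python
"""Detect password-guessing bursts in sshd auth.log lines (added example).

Constructed sample lines in the format sshd writes to /var/log/auth.log;
nothing here is taken from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "Failed password for [invalid user] <user> from <ip> port <n>" and
# "Accepted <method> for <user> from <ip> port <n>" both match this pattern.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one source hammers 'admin' and gets in; another makes a
# single typo and then logs in with a key. 192.0.2.x is a documentation range.
SAMPLE_LOG = [
    "Mar  3 10:12:01 mint sshd[2231]: Failed password for admin from 192.0.2.10 port 51002 ssh2",
    "Mar  3 10:12:02 mint sshd[2232]: Connection closed by 192.0.2.10 port 51003 [preauth]",
    "Mar  3 10:12:02 mint sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 51004 ssh2",
    "Mar  3 10:12:03 mint sshd[2234]: Failed password for admin from 192.0.2.10 port 51006 ssh2",
    "Mar  3 10:12:04 mint sshd[2235]: Failed password for admin from 192.0.2.10 port 51008 ssh2",
    "Mar  3 10:12:05 mint sshd[2236]: Failed password for admin from 192.0.2.10 port 51010 ssh2",
    "Mar  3 10:12:06 mint sshd[2237]: Failed password for admin from 192.0.2.10 port 51012 ssh2",
    "Mar  3 10:12:07 mint sshd[2238]: Failed password for admin from 192.0.2.10 port 51014 ssh2",
    "Mar  3 10:12:08 mint sshd[2239]: Failed password for admin from 192.0.2.10 port 51016 ssh2",
    "Mar  3 10:12:11 mint sshd[2240]: Accepted password for admin from 192.0.2.10 port 51030 ssh2",
    "Mar  3 10:20:00 mint sshd[2301]: Failed password for admin from 192.0.2.25 port 40001 ssh2",
    "Mar  3 10:20:07 mint sshd[2305]: Accepted publickey for admin from 192.0.2.25 port 40002 ssh2: RSA SHA256:constructed",
]


def parse_line(line):
    """Return a dict for Failed/Accepted lines, None for other sshd chatter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside window_seconds, and any
    success from such a source while the burst is still in the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)       # ip -> largest failure count seen in one window
    compromised = []              # (ip, user) where a success followed a burst
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["time"])
            peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
        elif len(q) >= threshold:
            compromised.append((ev["ip"], ev["user"]))
    bursts = {ip: n for ip, n in peak.items() if n >= threshold}
    return {"bursts": bursts, "compromised": compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["bursts"].items():
        print(f"burst: {n} failed passwords from {ip}")
    for ip, user in report["compromised"]:
        print(f"success after burst: {user} from {ip} -- treat as compromised")
```

To run it against a live file, replace `SAMPLE_LOG` with the lines read from /var/log/auth.log (or the output of the tail command above); a success that follows a burst from the same address is the line worth paging someone over, since it is the moment the guessing stopped being noise.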

To stop someone brute forcing your SSH password you can turn off password authentication altogether and enable SSH key authentication. If you are interested in setting up SSH key authentication, check out my tutorial on SSH.

Webpage Login

Now, this is where things start to get fun: you can use Hydra to brute force webpage logins. To get this to work you need some information about the login page, such as whether it uses a POST or a GET request, before you can construct your Hydra command.

The website login I am going to brute force is DVWA (Damn Vulnerable Web App). If you have already followed my tutorial on setting up a vulnerable LAMP server, you will have this set up and ready to go.

You will also need some sort of proxy installed to capture and identify the key parameters of the web login page so we can build our Hydra command. I will be using the Firefox plugin Tamper Data, but you can just as easily use Burp Suite.

Tamper Data no longer works with the latest version of Firefox; check out my newer tutorial, Brute Forcing Web Logins with DVWA, for the same walkthrough using Burp Suite to capture the requests.

——————————————————————————

To start, open the DVWA website in your browser (in my lab I go to http://192.168.100.155/dvwa) and log in to the DVWA site with the default credentials of admin / password.

You can brute force this main login page but it’s a little bit more advanced than what I want to get into here.

Once logged in, go to the DVWA Security button on the left-hand side of the page and make sure the security level is set to low.

Once the security is set to low click the Brute Force button on the menu on the left-hand side.

This is the login page we are going to brute force.

Start by firing up Tamper Data, I normally do this in Firefox by hitting the alt key on the keyboard and selecting it from the Tools menu.

With Tamper Data open, click Start Tamper; it will proxy all your Firefox traffic through Tamper Data, allowing us to capture the login request.

Now go back to DVWA, enter any old username and password and click Login. Tamper Data will capture the login request and ask whether you want to tamper with it; just click Submit.

Go back to Tamper Data and right click the first GET request captured and click copy.

Next, open any text editor and paste everything we copied from Tamper Data. It should look something like this:

We now just need to take note of the message DVWA returns to tell us we have entered a wrong username and password.

We now have everything to construct our hydra command against this login page.

The command should look something like the one below. Notice that all of this information was gathered from Tamper Data, and the only part that will differ on yours is the value after PHPSESSID=.

192.168.100.155 The IP address of the server hosting the webpage.
-V Verbose: displays the login and password tried in the terminal for each attempt.
-l admin The lowercase -l states that I am going to specify a single username; use a capital -L if you are going to specify a user list.
-P passwordlist The capital -P says I’m going to specify a list of passwords in a file called passwordlist.
http-get-form Tells Hydra to use the http-get-form module.
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login All of these details were found in the Tamper Data request that we copied into our text editor.
F=Username and/or password incorrect. The failed-login message we received from the DVWA login page; when Hydra does not see this string in a response, it treats the login as valid.
H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low The cookie we were issued when we logged into the DVWA site at the start, also found in Tamper Data.

If you get a result like the one pictured below, where Hydra reports more than one valid password, it means the command has not been constructed correctly and you probably just need to check the syntax.

Normally it’s either that the PHPSESSID is wrong or that the failed-login message is not formatted correctly.

If you want more information on Hydra’s http-get-form module, take a look at its help page by typing hydra http-get-form -U in your terminal.

Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.
By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)
Syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
with usernames and passwords being replaced in the "^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies from
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
^USER^ and ^PASS^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
All colons that are not option separators should be escaped (see the examples above and below).
You can specify a header without escaping the colons, but that way you will not be able to put colons
in the header value itself, as they will be interpreted by hydra as option separators.
Examples:
"/login.php:user=^USER^&pass=^PASS^:incorrect"
"/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
"/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
"/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"

That’s all I’m going to do for now on brute forcing passwords with THC-Hydra. If there are any more you would like me to show you, or you have some feedback for me, please leave a comment below.

Hi,
Very nice post and very useful. I have a doubt. I have got the same error as you shown in the last screen shot. “1 of 1 target successfully completed, 12 valid passwords found”.
I am not sure what is wrong in the command. I tried it in 2 different ways, and both times I got the same error.

I have been working on an adapter running Linux. I know the user name, however I forgotten the password. So, I have been using hydra 8.6 off of the latest Kali release and I am not getting the response I think I should be getting.

I am hoping you may be able to help! I have a Linux adapter I am working with and have forgotten the password. I know the user name! I was working with my recent version of Kali and hydra (8.6) and noted this might be a good test/use for the tool.

The only thing I can think of is maybe you're smashing the telnet session with too many tasks at once; try dropping the number down to 5 and try again. Lose the -s 23, as Hydra already knows it's port 23 because you have added telnet on the end.

Thanks for the ideas! I ran the modified command you passed to me and the system returned a segmentation error. I re-examined the man pages and went option by option. After about a dozen tries… I got it to work; I ended up dropping the wait to 1 (-w 1). Another parameter I found different… it liked -s 23 (for telnet) instead of IP_ADD:23 or IP_ADD telnet.

Hey DT thanks for letting me know.
Hydra can be quite fussy about how you structure your command; a lot of the time you just need to adjust the -w wait and -t tasks. It's worth starting low, say -t 5, and keep increasing this until you start getting errors, as by default this is set to 16.

Hi, I don’t want to access the actual website that the password is to, I am just trying to crack it so I know what it is. Is there a simpler way of using the GUI to just brute force (I know this person uses pretty random passwords with various character types) this password? I also noticed that all the passwords from this particular dump started with $2a$08$… is that something that I should leave out or keep in when attempting to ultimately crack.

It all depends on what you are trying to brute force but you should be able to use the hydra GUI just the same as the command line.

That password hash prefix you specified ($2a$08$) is part of a bcrypt hash, which, to be truthful, is going to be really hard to brute force, and it is probably worth looking into other avenues to get the information you need.

What other methods do you suggest I use? I can’t use social engineering or trojans or anything like that. So I def have to crack it… And I think the password is probably pretty complex… rainbow tables or something?

I think unless you’re a government agency there is no feasible way to crack it…

but you might have a fighting chance if you have a £10,000 password cracking rig and hashcat. Even then the process will probably take 4 years to crack, and by that point they may have already changed it to something else, and the cost of running a rig for that amount of time would be paranormal.

How come you are after the password so badly?

Just remember the password is only the key to the gate; there are always other options to climb over the defences…

CAN SOMEONE TYPE THE COMMAND LINE FOR GMAIL? SOMEONE HACKED MY GMAIL. I'M STILL LOGGED ON BUT THEY CHANGED MY PW AND TOOK OFF MY RECOVERY EMAIL. SCARED TO LOG OUT. NEED TO GRAB THE MORON'S PW AND REVERT BACK TO MYSELF. I DON'T KNOW THE COMMAND FOR IT.

My personal advice for your predicament is to speak to Gmail support and see if they can help you out. More than likely you have used the same username and password elsewhere on the internet and that’s how your account has been compromised; you can check this by going to https://haveibeenpwned.com/

You can’t really use hydra alone to brute force a Gmail account as after 5 failed logins your IP will be blocked…

You really need to run Hydra through a web proxy or Tor to change your IP address every couple of mins.